On Thu, Jul 17, 2025 at 5:01 PM Will Deacon <w...@kernel.org> wrote:
>
> vhost_vsock_alloc_skb() returns NULL for packets advertising a length
> larger than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE in the packet header. However,
> this is only checked once the SKB has been allocated and, if the length
> in the packet header is zero, the SKB may not be freed immediately.
Can this be triggered from the guest? (I guess yes) Did we need to
consider it as a security issue?
>
> Hoist the size check before the SKB allocation so that an iovec larger
> than VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + the header size is rejected
> outright. The subsequent check on the length field in the header can
> then simply check that the allocated SKB is indeed large enough to hold
> the packet.
>
> Cc: <sta...@vger.kernel.org>
> Fixes: 71dc9ec9ac7d ("virtio/vsock: replace virtio_vsock_pkt with sk_buff")
> Reviewed-by: Stefano Garzarella <sgarz...@redhat.com>
> Signed-off-by: Will Deacon <w...@kernel.org>
> ---
> drivers/vhost/vsock.c | 6 ++++--
> 1 file changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/drivers/vhost/vsock.c b/drivers/vhost/vsock.c
> index 802153e23073..66a0f060770e 100644
> --- a/drivers/vhost/vsock.c
> +++ b/drivers/vhost/vsock.c
> @@ -344,6 +344,9 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq,
>
> len = iov_length(vq->iov, out);
>
> + if (len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE + VIRTIO_VSOCK_SKB_HEADROOM)
> + return NULL;
> +
> /* len contains both payload and hdr */
> skb = virtio_vsock_alloc_skb(len, GFP_KERNEL);
> if (!skb)
> @@ -367,8 +370,7 @@ vhost_vsock_alloc_skb(struct vhost_virtqueue *vq,
> return skb;
>
> /* The pkt is too big or the length in the header is invalid */
> - if (payload_len > VIRTIO_VSOCK_MAX_PKT_BUF_SIZE ||
> - payload_len + sizeof(*hdr) > len) {
> + if (payload_len + sizeof(*hdr) > len) {
> kfree_skb(skb);
> return NULL;
> }
> --
> 2.50.0.727.gbf7dc18ff4-goog
>
Thanks
